Attackers offer 500000 plus Zoom users’ data on hackers’ forums and darknet
IntSights specialist discovered that over 500000 zoom accounts are sold on darknet and hackers’ forums. The data include in an account includes user’s credentials (email, passwords), as well as meeting IDs, host names and keys. It was a relatively small database containing only about 2300 records.
A researcher from IntSights said“A database found on a darknet can contain partial information, but in other cases you can find a complete set of data in it, including a PIN code for all open sessions. Having access to the URL, identifier and PIN code, the attacker gets the opportunity to both enter the video conference and take control of it (and, for example, start removing participants just for fun)”.
Now Cybersecurity from Cyble also agreed with the view of the InSights and reported half a million records is available. They said, the credentials they found are the result of an attack of the credential stuffing type.
Credential Stuffing refers to a typical situation where usernames and passwords are stolen from some sites and then used against other users. That is, the attackers have a database of credentials (purchased on the darknet, collected independently, and so on) and try to use this data to log in to any sites and services.
The Zoom trading accounts were reported on April 1, 2020. As per the experts, some attackers including University of Vermont, the University of Colorado, Dartmouth College, the University of Florida gave away hacked accounts for free, thus trying to gain a reputation in the hacker community.
On contacting several victims from the list using provided email addresses, it has been confirmed that such accounts exist. One of such victims told that the mentioned password was an old one, so, some credentials were probably the result of older credential stuffing attacks.
Noticing this trading, Cyble specialists contacted him and agreed to purchase a large number of accounts to warn the users about the problems arise. They acquire the information about approximately 530,000 Zoom accounts at cost of $0.0020 per account. They were able to confirm about data authentication as well by checking the accounts owned by the company’s customers.
Information security specialists say “Reusing the same passwords is a bad idea, and we recommend that users, which practice this, should change passwords as soon as possible”
The attackers can spread using fake zoom domains. Google, SpaceX and NASA employees already refuse this app at current. We recommend you as well avoid using this application at all.